NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2009

Report #OIG-09-02          October 16, 2009

William A. DeSarno
Inspector General

Released by: James Hagen, Deputy IG for Audits
Auditor-in-Charge: W. Marvin Stith, CISA, Sr. Information Technology Auditor

REPORT #OIG-09-02: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2009

Contents

I     EXECUTIVE SUMMARY
II    BACKGROUND
III   OBJECTIVE
IV    METHODOLOGY AND SCOPE
V     RESULTS IN DETAIL
      1.  NCUA needs to improve its security configuration program.
      2.  NCUA needs to improve its vulnerability management procedures.
      3.  NCUA needs to implement continuing education requirements for its information technology (IT) employees.
      4.  NCUA needs to enhance its procedures for ensuring terminated users and inactive user accounts are disabled or removed from NCUA and external systems.
      5.  NCUA needs to improve its System Software Change Procedures.
      6.  NCUA needs to establish adequate segregation of duty controls for its applications.
      7.  NCUA needs to complete e-authentication risk assessments for its FISMA systems.
      8.  NCUA needs to incorporate specific security and response time requirements in the Service Level Agreement (SLA) for its Intrusion Detection System (IDS).
      9.  NCUA needs to improve its remote access controls.
      10. NCUA needs to enhance its information privacy and security awareness program.
      11. NCUA needs to update its web site privacy policy.
      12. NCUA needs to improve its process for certifying its FISMA systems.
      13. NCUA needs to complete its FY2009 security awareness training.
      14. NCUA needs to complete an Authorization to Operate for one of its FISMA systems.
      15. NCUA needs to improve its contingency planning program for its FISMA systems.

I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Richard S. Carson and Associates, Inc. (Carson Associates), to independently evaluate its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Carson Associates evaluated NCUA’s security program through interviews, documentation reviews, technical configuration reviews, an after-hours walk-through, and sample testing. We evaluated NCUA against standards and requirements for federal government agencies such as those provided through FISMA, the Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) Special Publications (SPs), and Office of Management and Budget (OMB) memoranda. We conducted an exit conference with NCUA on July 15, 2009, to discuss evaluation results.

The NCUA has worked to further strengthen its information technology (IT) security program during Fiscal Year (FY) 2009.
NCUA’s accomplishments during this period include:

   •   Installation of a change control management system for its IT systems;
   •   Improved employee enter/exit procedures;
   •   Enhanced policies and procedures;
   •   Improved contingency plan testing;
   •   Completed re-certification of a major certification & accreditation (C&A) package;
   •   Currently undergoing a re-certification of one major C&A package;
   •   Improved plan of action and milestones (POA&M) process; and
   •   Completed control testing for all six systems.

We identified five areas remaining from last year’s FISMA evaluation that NCUA officials need to address:

   •   Improve its vulnerability management procedures;
   •   Implement continuing education requirements for its information technology (IT) employees;
   •   Establish adequate segregation of duty controls for its applications;
   •   Complete e-authentication risk assessments for its FISMA systems; and
   •   Improve its contingency planning program for its FISMA systems.

In addition, we identified 10 new findings this year where NCUA could improve IT security controls. Specifically, NCUA needs to:

   •   Improve its security configuration program;
   •   Enhance its procedures for ensuring terminated users and inactive user accounts are removed from its systems;
   •   Improve its System Software Change Procedures;
   •   Incorporate specific security and response time requirements into the Service Level Agreement (SLA) for its Intrusion Detection System (IDS);
   •   Improve its remote access controls;
   •   Enhance its information privacy and security awareness program;
   •   Update its web site privacy policy;
   •   Improve its process for certifying its FISMA systems;
   •   Complete its FY2009 security awareness training; and
   •   Complete an Authorization to Operate for one of its FISMA systems.

We appreciate the courtesies and cooperation provided to our auditors during this audit.

II. BACKGROUND

This section provides background information on FISMA and NCUA.

Federal Information Security Management Act

The President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security, on December 17, 2002. The Federal Information Security Management Act (FISMA) permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, it includes new provisions aimed at further strengthening the security of the federal government’s information and information systems, such as development of minimum standards for agency systems. In general, FISMA:

   •   Lays out a framework for annual information technology security reviews, reporting, and remediation plans.
   •   Codifies existing OMB security policies, including those specified in Circular A-130, Management of Federal Information Resources, and Appendix III.
   •   Reiterates security responsibilities outlined in the Computer Security Act of 1987, Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.
   •   Tasks NIST with defining required security standards and controls for federal information systems.

OMB issued the 2009 Reporting Instructions for the Federal Information Security Management Act on August 20, 2009. This document provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and Congress.

National Credit Union Administration (NCUA)

NCUA is the independent federal agency that charters, supervises, and insures the nation’s federal credit unions. NCUA insures many state-chartered credit unions as well. NCUA is funded by the credit unions it supervises and insures. NCUA’s mission is to foster the safety and soundness of federally-insured credit unions and to better enable the credit union community to extend credit for productive and provident purposes to all Americans, particularly those of modest means.

NCUA strives to ensure that credit unions are empowered to make necessary business decisions to serve the diverse needs of their members and potential members. It does this by establishing a regulatory environment that encourages innovation, flexibility, and a continued focus on attracting new members and improving service to existing members.

NCUA has a full-time three-member Board of Directors (Board) appointed by the President of the United States and confirmed by the Senate. The Board consists of a chairman, vice chairman, and member. No more than two board members can be from the same political party, and each member serves a staggered six-year term. NCUA’s Board regularly meets in open session each month, with the exception of August, in Alexandria, Virginia. In addition to its central office in Alexandria, NCUA has five regional offices and the Asset Management and Assistance Center (AMAC).

III. OBJECTIVE

The audit objective was to assist the OIG in performing an independent evaluation of NCUA information security policies and procedures for compliance with FISMA and federal regulations and standards. We evaluated NCUA’s efforts related to:

   •   Efficiently and effectively managing its information security program;
   •   Meeting responsibilities under FISMA;
   •   Remediating prior audit weaknesses pertaining to FISMA and other security weaknesses identified; and
   •   Implementing its plans of action and milestones (POA&M).

In addition, the audit was required to provide sufficient supporting evidence of NCUA’s security program evaluation to enable the OIG to report to OMB.

IV. METHODOLOGY AND SCOPE

We evaluated NCUA’s information technology (IT) security program and practices against such standards and requirements as those provided through FISMA, the Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) Special Publications (SPs), and Office of Management and Budget (OMB) memoranda.

We review IT security control techniques for all of NCUA’s major information systems on a rotational basis. During this evaluation, we assessed NCUA’s controls over security planning and program management, segregation of duties, privacy and security awareness training, physical and logical access, and incident response. In addition, we evaluated areas required to be reported under OMB M-09-29, such as reviews of privacy and breach notification, and certification and accreditation (C&A) documentation including system security plans, risk assessments, contingency plans, and certification reports. Furthermore, we reviewed existing IT security controls and identified weaknesses impacting certain general support system (GSS) components, application security (to include change controls and configuration management), and service continuity.

We conducted our fieldwork from May 2009 through October 2009.
We performed our audit in accordance with generally accepted government auditing standards (GAGAS), audit standards promulgated by the American Institute of Certified Public Accountants (AICPA), and information systems standards issued by the Information Systems Audit & Control Association (ISACA).

V. RESULTS IN DETAIL

Security program planning and management controls are designed to provide the framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of an entity’s computer-related controls. NCUA has made progress in addressing last year’s reported deficiencies; however, some prior year deficiencies remain. In addition, we identified other areas for improvement that require management’s attention. We discuss these issues below.

1. NCUA needs to improve its security configuration program.

NCUA has established a configuration guide for its workstation and server operating systems. However, NCUA has not documented its compliance with or variances from NIST baseline security configurations for its workstations. In addition, NCUA has not implemented the NIST-approved security configurations for its servers and network devices (e.g., routers, switches, firewalls, etc.). Furthermore, NCUA has not implemented a procedure and tool to verify its workstation, server and network device configurations against the NIST baseline security configurations.

FISMA requires each agency to determine minimally acceptable system configuration requirements and ensure compliance with them.[1] OMB Memorandum M-07-11 directed agencies using Windows XP, or planning to upgrade to the Vista operating system, to adopt OMB-mandated Federal Desktop Core Configuration (FDCC) security configurations. In addition, OMB Memorandum M-08-22 requires:

   •   Industry and government information technology providers to use Security Content Automation Protocol (SCAP)[2] validated tools with FDCC Scanner capability to certify that their products operate correctly with FDCC configurations and do not alter FDCC settings.
   •   Agencies to use SCAP tools to scan for both FDCC configurations and configuration deviations approved by the department or agency accrediting authority.
   •   Agencies to use SCAP tools when monitoring the use of these configurations as part of FISMA continuous monitoring.

NIST has made available, through the National Checklist Program,[3] security configuration checklists[4] for operating systems and applications that are widely used within the Federal Government. NIST encourages agencies to implement the applicable checklists in their environment and document any deviations from the common security configurations with justifications.

[1] Section 3544(b)(2)(D)(iii).
[2] SCAP enables validated security tools to perform automatic configuration checking using NCP checklists within this category.
[3] The National Checklist Program is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.
[4] A security configuration checklist essentially contains instructions or procedures for configuring an IT product to a baseline level of security. A checklist might include: (a) configuration files that automatically set various security settings; (b) documentation that guides the checklist user to manually configure software; (c) documents that explain the recommended methods to securely install and configure a device; and (d) policy documents that set forth guidelines for such things as auditing, authentication security, and perimeter security.

NCUA upgraded its workstation operating system to Vista in early 2009. NCUA’s configuration guide requires configuring agency workstations following the OMB-mandated Federal Desktop Core Configuration (FDCC) security configurations. However, while NCUA officials indicated they implemented FDCC security configurations (with variances), NCUA has not documented its compliance with and variances from the baseline FDCC configurations.

In addition, NCUA has not implemented the applicable NIST security checklists provided under the National Checklist Program to configure its servers and network devices. NCUA indicates it uses the Microsoft Baseline Security Analyzer (MBSA) to provide a baseline security configuration for and verify the configurations of its servers. However, the MBSA relies solely on Microsoft’s recommended security settings and is not an approved SCAP tool with Authenticated Configuration Scanner capabilities. In addition, NCUA manually configures its network devices and stores the baseline configurations locally. However, NCUA does not use NIST baseline security configuration guidelines for the devices or a SCAP scanner with Authenticated Configuration Scanner capabilities to ensure compliance of the network devices with the baseline configurations.

NCUA officials indicated they have not implemented the National Checklist Program for its servers due to IT staff resource constraints and additional security priorities taking precedence. However, NCUA officials indicated they are evaluating approved SCAP tools. By not adopting the NIST-approved server security configuration checklist, NCUA is not implementing federally accepted server security standards. In addition, by not using SCAP validated tools, NCUA cannot appropriately validate the implementation of the National Checklist Program on its workstations, servers and network devices.

Recommendation 1: We recommend that NCUA:

   1) Select and implement a Security Content Automation Protocol (SCAP) validated vulnerability scanner/appliance with Federal Desktop Core Configuration (FDCC) Scanner and Authenticated Configuration Scanner capabilities;

   2) Verify FDCC security configurations for its workstations using the FDCC scanner capabilities and document the deviations; and

   3) Implement and verify NIST baseline security configurations for servers and network devices using the Authenticated Configuration Scanner capabilities and document the deviations.

Agency Response: NCUA agrees with the recommendations and would like to note that this finding has no impact on the actual security of NCUA systems.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA’s planned actions. The OIG also notes that by using and verifying the common NIST configurations, NCUA will be helping improve security, reduce costs, and decrease application-compatibility issues among and across federal government agencies.

2. NCUA needs to improve its vulnerability management procedures.

This finding pertains to a FY 2007 finding which indicated a deficiency in the NCUA vulnerability management program, noting that a number of ports/communication services were available on specific NCUA servers. This finding was repeated in FY 2008.

NIST Special Publication (SP) 800-53, Revision 2, guides that organizations conduct an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. NIST SP 800-53 also guides that the organization:

   •   Periodically scan for vulnerabilities in the information system and scan the system when significant new vulnerabilities potentially affecting the system are identified and reported.
   •   Employ vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
       o  Enumerating platforms, software flaws, and improper configurations;
       o  Formatting and making transparent checklists and test procedures; and
       o  Measuring vulnerability impact.
   •   Analyze vulnerability scan reports and remediate legitimate vulnerabilities in accordance with an organizational assessment of risk.
   •   Share information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems.

NCUA has implemented Microsoft’s System Center Configuration Manager (SCCM) with Windows Server Update Services (WSUS) to act as patch-level compliance software, and SolarWinds software to perform port scanning weekly until a vulnerability scanner appliance is installed. However, NCUA has not fully implemented a comprehensive vulnerability management process to include vulnerability scanning, reporting, and remediation.

NCUA officials indicated they are in the process of evaluating vulnerability scanners/appliances and creating procedures to implement the vulnerability scanning process, with an expected completion date before the end of FY 2009. Although NCUA is currently scanning patch levels and open ports with SCCM, WSUS, and SolarWinds software, these tools do not test for vulnerabilities in the services running on the open ports, misconfigurations, or other vulnerabilities in the environment (e.g., web applications, databases, etc.). Therefore, NCUA’s current processes do not provide NCUA with a comprehensive vulnerability management process, which may increase the risk of an unauthorized person gaining access to NCUA systems through exploitation of unknown vulnerabilities.

Recommendation 2: We recommend that NCUA implement procedures to continuously monitor open ports and services on NCUA servers and address vulnerabilities.

Agency Response: NCUA agrees and is working on implementing a solution.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA’s planned actions.

3. NCUA needs to implement continuing education requirements for its information technology (IT) employees.

NCUA has not established training requirements for its IT employees or a mechanism to effectively track and report the training taken. This is a repeat finding from the FY 2007 and FY 2008 FISMA evaluations.

NIST SP 800-53, Revision 2, guides that organizations provide system managers, system and network administrators, and other personnel having access to system-level software with adequate technical training to perform their assigned duties. It also guides that the organization document and monitor individual information system security training activities, including basic security awareness training and specific information system security training. In addition, the NCUA Agency Wide Information Security Policy indicates that training oversight includes general awareness training and specific training for people with significant security responsibilities. The policy requires the CIO to ensure adequate training is planned for NCUA.

In response to our FY 2008 FISMA recommendations:

   •   OCIO officials agreed to establish and document continuing education requirements for IT employees in each employee’s Individual Development Plan.
   •   OHR officials indicated that by April 2009, they would implement the web-based Learning Management System (LMS) to monitor and track employee training records.

We determined that while OCIO managers indicated they were researching training for their IT employees, they have not established or documented continuing education requirements. In addition, OHR officials indicated that due to delays with the system provider and internal resource constraints, they were unable to meet the planned completion date. The officials indicated they anticipated beginning to implement the LMS in August 2009, with full implementation expected by September or October 2009.

By not establishing continuing education requirements and requiring specific security-related training for its IT employees, NCUA cannot ensure the IT employees have the most current technical knowledge to effectively protect the confidentiality, integrity, and availability of its systems and sensitive data.

Recommendation 3: We recommend that NCUA:

   1) Establish continuing education requirements for its information technology employees.

   2) Complete its implementation of the Learning Management System.

Agency Response: Current policies rely on each OCIO manager’s discretion to determine the security training required by employees with significant security responsibilities. This is determined each year and documented using the Individual Development Plan (IDP) process. This process effectively meets the changing security training requirements OCIO faces each year. In order to make this process more robust, the agency will require a meeting of managers at the beginning of each IDP cycle to establish that year’s security training requirements. These requirements will be documented and stored with the security plan. This finding has minimal impact on the actual security of NCUA systems. The Division of Training and Development anticipates the Learning Management System will go live by the end of October 2009.

Estimated completion date for item #1: 5/1/2010
Estimated completion date for item #2: 10/31/2009

OIG Response: The OIG concurs with NCUA’s planned actions.

4. NCUA needs to enhance its procedures for ensuring terminated users and inactive user accounts are disabled or removed from NCUA and external systems.

We identified active user accounts for terminated NCUA employees on some NCUA and external systems. In addition, we identified inactive accounts for current NCUA employees on an NCUA system.

NIST SP 800-12 indicates that when user accounts are no longer required, the supervisor should inform the application manager and system management office so accounts can be removed in a timely manner. In addition, NIST SP 800-53, Revision 2, guides that organizations:

   •   Develop, disseminate, and periodically review/update formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
   •   Manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.

In response to our FY2008 FISMA review, NCUA updated its employee enter/exit/change procedures effective May 2009 to facilitate the timely removal of terminated employees’ user accounts. In addition, OCIO staff informed us that they implemented a new process in June 2009 to review and disable inactive Active Directory user accounts on a weekly basis. We reviewed the listing of terminated NCUA employees against NCUA’s system account listings and determined that seven terminated employees had active user accounts on NCUA and external systems. We also identified two user accounts for current employees on one of NCUA’s systems which have been inactive for over two years.

We determined that for all but one employee, NCUA’s new enter/exit/change procedures were not in effect when the terminated employees left the agency prior to May 2009.
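The review described above, comparing a termination listing against account listings and flagging long-unused accounts, as an added Python example that is not part of the report or of NCUA's own tooling. It goes beyond the report by running one pass over accounts from every in-scope system (Active Directory on the GSS, external systems, network devices) and by checking whether each system's account administrator is on the exit-notification distribution list; all systems, user IDs and dates in it are constructed sample data, and the assumption that one user ID is shared across systems is a simplification.

```python
"""Reconcile a termination listing and logon data against account listings
from several systems. Added example with constructed data; not NCUA's process."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    system: str                 # where the account lives: AD on the GSS, an
    user_id: str                # external system, a network device, ...
    enabled: bool
    last_logon: Optional[date]  # None: the account has never been used


@dataclass(frozen=True)
class Finding:
    kind: str                   # "terminated-active" or "inactive"
    system: str
    user_id: str
    detail: str


def reconcile(accounts: Iterable[Account], terminated: Dict[str, date],
              as_of: date, inactive_after_days: int = 90) -> List[Finding]:
    """Flag enabled accounts that belong to terminated employees (on any system,
    not only Active Directory on the GSS) and enabled accounts with no logon
    within inactive_after_days of the review date.

    terminated maps user_id -> separation date (the HR termination listing).
    Assumes the same user_id is used on every system (constructed simplification).
    """
    cutoff = as_of - timedelta(days=inactive_after_days)
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is the desired end state; nothing to report
        if acct.user_id in terminated:
            days = (as_of - terminated[acct.user_id]).days
            findings.append(Finding("terminated-active", acct.system, acct.user_id,
                                    f"separated {days} days ago, account still enabled"))
        elif acct.last_logon is None or acct.last_logon < cutoff:
            seen = acct.last_logon.isoformat() if acct.last_logon else "never"
            findings.append(Finding("inactive", acct.system, acct.user_id,
                                    f"last logon {seen}, threshold {inactive_after_days} days"))
    # deterministic order so one weekly report can be diffed against the next
    return sorted(findings, key=lambda f: (f.kind, f.system, f.user_id))


def unnotified_systems(findings: Iterable[Finding], system_owners: Dict[str, str],
                       exit_distribution_list: Set[str]) -> List[str]:
    """Systems holding a terminated-active account whose administrator is not on
    the exit-notification distribution list: the gap the report cites for the
    one account that outlived the May 2009 procedures."""
    return sorted({f.system for f in findings
                   if f.kind == "terminated-active"
                   and system_owners.get(f.system) not in exit_distribution_list})


# --- constructed sample data (not real NCUA accounts) ------------------------
REVIEW_DATE = date(2009, 7, 15)
TERMINATED = {"jdoe": date(2009, 3, 2), "rroe": date(2009, 6, 10)}
ACCOUNTS = [
    Account("AD-GSS", "jdoe", False, date(2009, 2, 27)),          # disabled: OK
    Account("ExternalPortal", "jdoe", True, date(2009, 2, 20)),   # missed: not on the GSS
    Account("AD-GSS", "rroe", True, date(2009, 6, 9)),            # exit notice not acted on
    Account("ExternalPortal", "asmith", True, date(2007, 5, 1)),  # current staff, unused 2+ years
    Account("CoreSwitch01", "netadm2", True, None),               # device account never used
    Account("AD-GSS", "asmith", True, date(2009, 7, 14)),         # active, no finding
]
SYSTEM_OWNERS = {"AD-GSS": "ad-admins", "ExternalPortal": "portal-liaison",
                 "CoreSwitch01": "net-ops"}
EXIT_DISTRIBUTION_LIST = {"ad-admins", "net-ops"}  # portal-liaison is missing


if __name__ == "__main__":
    results = reconcile(ACCOUNTS, TERMINATED, REVIEW_DATE)
    for f in results:
        print(f"{f.kind:18} {f.system:15} {f.user_id:8} {f.detail}")
    print("owners not on exit list:",
          unnotified_systems(results, SYSTEM_OWNERS, EXIT_DISTRIBUTION_LIST))
```

Feeding the output into the weekly review gives one list covering every system rather than only Active Directory on the GSS, and the unnotified-systems check surfaces distribution-list gaps before the next departure.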
For the one remaining employee, who left the agency in June 2009, we
determined NCUA had not included the person responsible for adding, removing, and
changing users' access for that system in the email notification distribution list.
Also, while NCUA implemented a new process to review and disable inactive Active
Directory user accounts, NCUA has not formalized or documented the process.
Furthermore, the process did not identify the inactive user accounts because the
process only applies to Active Directory user accounts on the general support system
(GSS), and the inactive user accounts were not on the GSS.

By not disabling inactive user accounts and not removing the access of terminated
employees in a timely manner, NCUA leaves accounts that existing and former employees
could use to obtain unauthorized access to sensitive NCUA data. In addition, NCUA should
formally document the user account review process to institutionalize it and help ensure
its continuity and consistent execution within NCUA.

Recommendation 4: We recommend that NCUA:

   1) Update the enter/exit/change procedures email notification distribution list to
      include appropriate personnel for external systems, and review this list
      periodically to ensure it remains current.

   2) Document the process for reviewing and disabling inactive user accounts on a
      weekly basis.

   3) Include in the process of reviewing and disabling inactive user accounts the
      requirement to review user accounts on network devices and external systems.

   4) Review Active Directory accounts and external system user accounts to identify
      and remove accounts for employees terminated prior to May 13, 2009.

Agency Response: NCUA agrees with the recommendation. OCIO and OHR will
implement the necessary solutions.

Estimated completion date: 12/31/2009

OIG Response: The OIG concurs with NCUA's planned actions.


5. NCUA needs to improve its System Software Change Procedures.

NCUA has implemented procedures to ensure that the information required for a system
software change request/notification is adequately and properly documented. However,
NCUA has not incorporated these procedures into its formal system software change
control policies and procedures. In addition, NCUA has not established change controls
for its Commercial Off-The-Shelf (COTS) software.

NIST SP 800-53, Revision 2, guides that the organization:
   •   Develop, disseminate, and periodically review/update a formal, documented
       configuration management policy that addresses purpose, scope, roles,
       responsibilities, management commitment, coordination among organizational
       entities, and compliance.

   •   Authorize, document, and control changes to the information system.

In addition, the FISCAM indicates that a disciplined approach to testing and approving
new and modified programs prior to their implementation is essential to make sure
programs operate as intended and that no unauthorized changes are introduced.

NCUA implemented Microsoft SharePoint to document change requests for system
software components to ensure that all changes are properly documented and
approved. We determined the change requests are sufficiently detailed and include the
appropriate approvals.
However, NCUA has not updated its official change
management policies and procedures for its system software to mirror current practice.
In addition, NCUA does not have change control procedures for COTS software.

NCUA officials indicated they have not updated the change management policies and
procedures due to IT staff resource constraints and additional security priorities taking
precedence. By not updating its change management policies and procedures
to mirror current practice, NCUA increases the risk that staff may inadvertently
follow the old procedures, resulting in unauthorized changes being made to NCUA
systems. In addition, by not establishing change control procedures for COTS software,
NCUA risks the loss of confidentiality, availability, and integrity of the data
in its COTS systems.

Recommendation 5: We recommend that NCUA:

   1) Update its system software change control policies and procedures to reflect the
      current process.

   2) Establish and document COTS change control policies and procedures.

Agency Response: NCUA agrees with both recommendations. OCIO has already
addressed these recommendations through replacement of the old procedures in the
OCIO security plan with the following text:

       3.5.1 Common Controls

       Authorization
       • All changes to the production network, servers, systems, and applications will
       be documented by submitting a Configuration Change Request form.
This form
       is available on OCIO's site within NCUACentral....

       • This procedure applies to all staff in the Division of Systems and Technical
       Support and Division of Product Services, including all contractor staff.

       • Changes to the production network are not allowed until the Configuration
       Change Request form has been approved.

       • The Configuration Change Request form must provide sufficient detail to
       thoroughly document the proposed change.

       • In the case of changes to COTS software, the change must follow the
       instructions supplied by the vendor. Any deviations from this rule must be
       documented and will be addressed on a case-by-case basis.

       • There are four types of change requests, as listed below. Use your best
       judgment in choosing the type for your requested change.

             • Informational - The change is routine and does not require explicit
             authorization by a Division Director. An information period of 12 hours
             must elapse before this change request is automatically approved, to allow
             time for review and comment by the configuration control distribution list.
             The change may not proceed until this period has elapsed, nor may it
             proceed if comments are received until those comments are resolved.

             • Authorization - Both Division Directors must authorize the change
             before it can be implemented.
Also, an information period of 24 hours
             must elapse before this change request is approved, to allow time for
             review and comment by the configuration control distribution list. The
             change may not proceed until this period has elapsed and both Division
             Directors have approved the change, nor may it proceed if comments are
             received until those comments are resolved.

             • Emergency - This is where the CIO, Deputy CIO, or a person acting on
             their behalf has directed you to make a change right away. Division
             Directors may not authorize emergency changes. If possible, submit the
             Configuration Change Request form prior to implementing the change.

             • Committee - This change is extensive or involves significant
             architectural changes to the production network. Such changes warrant
             review by the Change Control Committee and approval by both Division
             Directors before proceeding.
Brand new systems or applications would be
             examples warranting review by the Change Control Committee.

       Examples of changes warranting configuration control:
         • Any change to a production system, except those listed in the exceptions
           below,
         • Hardware upgrades,
         • Operating system upgrades and Service Packs,
         • Software upgrades and/or changes,
         • Firewall configuration changes,
         • Switch and router configuration changes,
         • Changes to laptop configuration, including SMS updates.

       Exceptions to this policy:
         • Developmental servers, systems, and applications running in the
           development environment do not require a Change Request form,
         • Changes resulting from an employee add/change/exit action,
         • Hot-fixes and patches to the Windows OS on production systems,
         • Internet or Intranet web (HTML) content changes,
         • E-Library changes.

OIG Response: The OIG concurs with NCUA's action.


6. NCUA needs to establish adequate segregation of duty controls[5] for its
   applications.

NCUA has begun to take steps to remedy the segregation of duties issues with its
applications; however, NCUA has not fully addressed the recommendations from prior
year FISMA reviews.
This finding pertains to a FY 2007 finding, which was repeated in
the FY 2008 FISMA evaluation.

NIST SP 800-53, Revision 2, indicates that information systems should enforce
segregation of duties through assigned access authorizations. The organization should
establish appropriate divisions of responsibility and separate duties as needed to
eliminate conflicts of interest in the responsibilities and duties of individuals.

NCUA does not have adequate controls for segregation of duties in place for its
applications. Specifically, we determined that NCUA has not addressed the following
findings from our FY 2008 FISMA review:

    •    Programmers for three of NCUA's FISMA systems were improperly authorized
         access to both development and production application environments.

    •    A single administrator of NCUA's financial system had sole responsibility for
         managing system operations in the system's production environment.

    •    One senior programmer had access to all of the NCUA production environments
         without documented justification or compensating controls.

    •    NCUA had not documented and implemented policy and procedures enforcing
         periodic supervisory review and monitoring of programmer activities.

In response to these previous findings, NCUA agreed to implement our
recommendations to resolve these issues. However, while NCUA officials indicated
they are in the process of implementing the recommendations, they are not complete.

[5] Segregation of duties is the practice of dividing the steps in a critical function among different individuals. For
example, one system programmer can create a critical piece of operating system code while another authorizes its
implementation.
Such a control keeps a single individual from subverting a critical process.

By not restricting programmer access to production environments and not monitoring
systems with limited or non-existent segregation of duties, NCUA increases the risk that
intentional or unintentional error, alteration, or deletion of data within its systems may
occur. This could negatively impact NCUA by affecting the quality and accuracy of the
data it provides to its customers and its examiners.

Recommendation 6: We recommend that NCUA:

    1) Examine the existing roles and responsibilities of all OCIO programmers, computer
       specialists, and SAP administrators and define the residual risks associated with
       segregation of duties conflicts created by organizational constraints.

    2) Establish and implement compensating controls if segregation of duties conflicts
       cannot be easily resolved.

Agency Response: NCUA agrees and is in the process of implementing these
recommendations.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA's planned actions.


7. NCUA needs to complete e-authentication risk assessments[6] for its FISMA
   systems.

NCUA has not specifically addressed e-authentication risk considerations. This is a
repeat finding from the FY 2006, FY 2007, and FY 2008 FISMA evaluations.

OMB Memorandum M-04-04 requires agencies to conduct e-authentication risk
assessments, specifically to review new and existing electronic transactions to ensure
that authentication processes provide the appropriate level of assurance.
In addition,
the guidance applies to the remote authentication of human users of federal agency IT
systems for the purposes of conducting government business electronically.

While NCUA has completed formal risk assessments for its six FISMA systems, NCUA
did not specifically address e-authentication risk considerations. NCUA officials
indicated they have not completed e-authentication risk assessments due to IT staff
resource constraints and additional security priorities taking precedence. NCUA
officials also indicated that the recommendation is currently in the process of being
completed, but is past NCUA's stated completion date of June 1, 2009. By not
completing e-authentication risk assessments, the NCUA is not compliant with OMB
policy.

[6] An e-authentication risk assessment identifies key user roles and transactions within the application; organizes the
consequences of false positive authentication and impacts to the agency; and aids in mapping the application to a set
of pre-defined authentication criteria by aligning each transaction to a consequence level.

Recommendation 7: We recommend that NCUA complete the e-authentication risk
assessment process in accordance with OMB Memorandum M-04-04, E-Authentication
Guidance for Federal Agencies.

Agency Response: NCUA agrees and would like to note that this finding has no
impact on the actual security of NCUA systems.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA's planned actions.
The OIG also notes
that by conducting e-authentication risk assessments in accordance with OMB
requirements, NCUA will meet OMB's goal of ensuring that there is a consistent
authentication process across the federal government that provides the appropriate
level of assurance about user identities presented electronically on information systems.


8. NCUA needs to incorporate specific security and response time requirements
   in the Service Level Agreement (SLA) for its Intrusion Detection System (IDS).

NCUA has a formal SLA with its IDS provider. However, the SLA does not describe
specific security and response time requirements the service provider must meet,
including adherence to OMB, FISMA, NIST, and US-CERT (United States Computer
Emergency Readiness Team) requirements.

NIST SP 800-53, Revision 2, guides that the organization: (i) require providers of
external information system services to employ adequate security controls in
accordance with applicable laws, Executive Orders, directives, policies, regulations,
standards, guidance, and established service-level agreements; and (ii) monitor security
control compliance.

NCUA officials and the IDS service provider indicated that they have not formally
incorporated specific security considerations and response times in the SLA because
the service was purchased through a grandfathered GSA schedule agreement.
By
establishing specific security considerations and response time requirements in the SLA
that the service provider must meet, NCUA can help ensure that it will meet the
reporting requirements of OMB, NIST, FISMA, and US-CERT.

Recommendation 8: We recommend that NCUA update the Service Level Agreement
with its Intrusion Detection System service provider to define the necessary security and
response time requirements, as mandated by OMB, the National Institute of Standards
and Technology, FISMA, and the United States Computer Emergency Readiness Team.

Agency Response: The current intrusion detection service is under review for possible
replacement. If we keep the current system past the end of the year, we will establish
an SLA with the current vendor.

Estimated completion date: 12/31/2009

OIG Response: The OIG concurs with NCUA's planned actions.


9. NCUA needs to improve its remote access controls.

While the NCUA remote access time-out feature is enabled, the configured inactivity
period exceeds the maximum OMB allows. In addition, NCUA administrators used a
shared account to log into the virtual private network (VPN) concentrators, which
regulate remote access to the NCUA network.

OMB Memorandum M-07-16, Attachment 1, Section C, Security Requirements, requires
that organizations use a time-out function for remote access and mobile devices
requiring user re-authentication after 30 minutes of inactivity. Also, NIST SP 800-53,
Revision 2, guides that all information systems uniquely identify and authenticate users
(or processes acting on behalf of users).

NCUA's remote access time-out function is currently set to allow 300 minutes of
inactivity before it disconnects.
In addition, the VPN concentrators have a generic
administrator account that multiple administrators share using a common password.

NCUA management indicated that the extended inactivity time limit on its VPN
connection is necessary to perform system updates for the majority of NCUA staff, who
work remotely. NCUA management noted that many remote users access the VPN
using a slower connection; therefore, the required 30 minute inactivity time is not
sufficient for NCUA to deliver updates to the users. NCUA management explained that
they believe the risk posed by the current remote access inactivity time setting is
mitigated by the mandatory NCUA screen saver function, which is set to lock access to
the computer after 15 minutes. In addition, NCUA officials indicated that the generic
account was a default account used on the VPN concentrator as a backup to the
individual user accounts. However, we observed that it had become common practice for
the administrators to use the generic account because it carried all administrator
rights. NCUA officials disabled the generic account during our review; therefore, we are
not making a recommendation regarding this issue.

Limiting the remote access inactivity time-out function to meet OMB requirements helps
reduce the exposure of NCUA's remote access connections to malicious users who
may try to exploit potential vulnerabilities. In addition, accounts shared by more than
one user cannot uniquely identify, authenticate, and log the personnel using the
account. Therefore, audit and accountability controls would not be effective on the VPN
concentrators.
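To show concretely why a shared administrator account defeats the audit trail, and what the periodic account review in Recommendation 9 can look for, the following is an added example; it is not from the OIG report or from any NCUA system. The script parses constructed, syslog-style VPN concentrator log lines, flags any account that holds two overlapping sessions from different source addresses (one person is not normally logged in from two machines at once), and then marks each recorded configuration change as attributable to an individual or not. The log format, field names, account names and addresses are assumptions made for illustration.

```python
"""Shared-account and attribution review over VPN concentrator logs.

Added example, not part of the OIG report or of any NCUA system. The log
format, accounts and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a generic "admin" account used from two hosts at once,
# and one configuration change made under it.
SAMPLE_LOG = """\
2009-06-02T08:01:10 vpn1 AUTH_OK user=jdoe src=10.8.1.21 session=101
2009-06-02T08:03:44 vpn1 AUTH_OK user=admin src=10.8.1.40 session=102
2009-06-02T08:10:02 vpn1 AUTH_OK user=admin src=10.8.1.57 session=103
2009-06-02T08:12:30 vpn1 CONFIG_CHANGE user=admin session=103 item=timeout value=300
2009-06-02T08:20:00 vpn1 LOGOUT user=admin session=102
2009-06-02T08:25:15 vpn1 CONFIG_CHANGE user=jdoe session=101 item=acl value=add-deny
2009-06-02T08:40:00 vpn1 LOGOUT user=admin session=103
2009-06-02T09:00:00 vpn1 LOGOUT user=jdoe session=101
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one assumed 'timestamp host EVENT key=value ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec[key] = val
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def build_sessions(records):
    """Map session id -> {user, src, start, end}; end stays None while open."""
    sessions = {}
    for r in records:
        sid = r.get("session")
        if sid is None:
            continue
        if r["event"] == "AUTH_OK":
            sessions[sid] = {"user": r["user"], "src": r.get("src"),
                             "start": r["ts"], "end": None}
        elif r["event"] == "LOGOUT" and sid in sessions:
            sessions[sid]["end"] = r["ts"]
    return sessions


def shared_accounts(sessions):
    """Accounts with overlapping sessions from different source addresses.

    Returns {user: [(session_a, session_b), ...]}; an overlap from two hosts is
    treated as evidence that the credential is held by more than one person.
    """
    by_user = defaultdict(list)
    for sid, s in sessions.items():
        by_user[s["user"]].append((sid, s))
    shared = {}
    for user, sess in by_user.items():
        sess.sort(key=lambda x: x[1]["start"])
        for i, (sid_a, a) in enumerate(sess):
            a_end = a["end"] or datetime.max  # still-open session overlaps everything later
            for sid_b, b in sess[i + 1:]:
                if b["start"] < a_end and a["src"] != b["src"]:
                    shared.setdefault(user, []).append((sid_a, sid_b))
    return shared


def attribute_changes(records, sessions, known_generic=()):
    """Return (item, account, attributable) for each CONFIG_CHANGE.

    A change is attributable only when the account is an individual's: neither
    in the configured list of generic accounts nor detected as shared above.
    """
    shared = shared_accounts(sessions)
    out = []
    for r in records:
        if r["event"] == "CONFIG_CHANGE":
            acct = r["user"]
            out.append((r["item"], acct, acct not in known_generic and acct not in shared))
    return out


def review(text, known_generic=("admin",)):
    """Run the whole review over raw log text."""
    records = parse_log(text)
    sessions = build_sessions(records)
    return {"shared_accounts": sorted(shared_accounts(sessions)),
            "changes": attribute_changes(records, sessions, known_generic)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("accounts with overlapping sessions from different hosts:", result["shared_accounts"])
    for item, acct, ok in result["changes"]:
        verdict = "attributable to " + acct if ok else "NOT attributable (shared account %s)" % acct
        print("config change %-8s %s" % (item, verdict))
```

Run against the constructed sample, the review lists admin as shared and reports the timeout change as not attributable to any individual, while jdoe's ACL change is. In practice the same two checks run over exported concentrator or network device logs, with the known-generic list fed from the account inventory the recommendation asks NCUA to maintain.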
Consequently, it would be difficult for NCUA officials to identify which
administrator was accountable for authorized and, more importantly, unauthorized
configuration changes to the VPN concentrators.

Recommendation 9: We recommend that NCUA:

   1) Adjust the remote access inactivity time-out function on its VPN concentrators to
      30 minutes.

   2) Perform a review of all accounts on all systems and network devices to
      determine whether other shared accounts exist, and periodically review the systems
      in the future.

Agency Response: OCIO will attempt to implement a 60 minute inactivity time-out
setting with a pop-up banner that warns the user that the connection will be dropped.
Existing compensating controls will mitigate any residual risk.

NCUA agrees regarding #2.

Estimated completion date: 5/1/2010

OIG Response: The OIG re-emphasizes that NCUA's planned actions do not meet the
OMB requirement to implement an inactivity time-out function of 30 minutes. However,
the OIG also noted during the review that one of NCUA's compensating controls is an
access lock-out screen saver on its remote devices that requires users to
re-authenticate to the device after 15 minutes of inactivity.


10. NCUA needs to enhance its information privacy and security awareness
    program.

NCUA conducts annual computer security awareness training and certification to
address the privacy and security of electronic information.
However, NCUA's
information privacy and security training program is not comprehensive.

OMB Memorandum M-07-16 requires that agencies initially train employees (including
managers) on their privacy and security responsibilities before permitting access to
agency information and information systems. Thereafter, agencies must provide at
least annual refresher training to ensure employees continue to understand their
responsibilities. Both initial and refresher training must include acceptable rules of
behavior and the consequences when the rules are not followed. OMB Memorandum
M-07-16 also requires that agencies ensure all individuals with authorized access to
Personally Identifiable Information (PII), and their supervisors, sign at least annually a
document clearly describing their responsibilities.

NCUA's information privacy and security program does not provide for annual training
and awareness on the privacy and security of non-electronic information. In addition,
NCUA does not require employees with access to PII (electronic or non-electronic) and
their supervisors to annually certify their responsibilities.

NCUA was not aware of OMB's requirements (1) to provide annual privacy and security
training on all forms of information, or (2) to have employees and managers with access
to PII annually certify their responsibilities.
By providing its employees with annual
privacy and security training on all forms of information and requiring applicable
employees and their managers to certify their PII responsibilities, NCUA can help
ensure that all employees who maintain, collect, use, or disseminate electronic and
non-electronic information and PII take the necessary precautions to mitigate the
unintentional disclosure of sensitive personal information. For example, the OIG
conducted an after-hours walkthrough during this review. We found unsecured
sensitive information, including PII, in several offices and cubicles. The documents were
either left out on individuals' desks, or the keys to the locked desks and cabinets
containing sensitive information were unsecured.

Recommendation 10: We recommend that NCUA establish an information privacy
and security awareness program which requires:

   1) NCUA to train its employees annually on their privacy and security
      responsibilities for non-electronic information; and

   2) Employees with authorized access to personally identifiable information (and
      their supervisors) to sign that they understand their responsibilities for that
      information.

Agency Response: NCUA has conducted on-line, annual computer security
awareness training for employees. In addition, over the last two years, NCUA updated
the agency's Privacy Act of 1974 instruction and provided Privacy Act training to all
employees at management and regional conferences and through live video training for
employees not included in the conferences. Staff recognizes the deficiency as far as
providing comprehensive privacy and security training for both electronic and
non-electronic formats under FISMA. The annual computer security awareness training has
now been revised and enhanced to include training on information privacy and security.
This training will be completed for all employees by 10-31-2009.
Staff will develop,
potentially as part of the IDP or annual appraisal process or as part of the Learning
Management System, a means for employees with access to PII and their supervisors
to certify that they understand their responsibilities.

Estimated completion date for part 1: 10/31/2009
Estimated completion date for part 2: 5/1/2010

OIG Response: The OIG concurs with NCUA's planned actions.


11. NCUA needs to update its web site privacy policy.

The NCUA.GOV web site privacy policy is not translated into a standardized,
machine-readable format[7], such as the Platform for Privacy Preferences Project
protocol[8] (P3P).

Office of Management and Budget (OMB) Memorandum M-03-22, OMB Guidance for
Implementing the Privacy Provisions of the E-Government Act of 2002, requires federal
agencies to post privacy policies on agency web sites used by the public and to translate
the policies into a standardized, machine-readable format.

NCUA officials indicated they have not updated the NCUA.GOV web site to include its
privacy policy in a standardized, machine-readable format due to IT staff resource
constraints and additional security priorities taking precedence. By translating its web
site privacy policies into a standard, machine-readable format, NCUA can ensure that
the web site privacy policies can be read across multiple types of browsers.
This will
not only help ensure users are informed of web site privacy practices, but will also
enable browser-based automated decision-making based on these practices, such as
accepting cookies, when appropriate.

Recommendation 11: We recommend that NCUA:

    1) Translate the privacy policies on NCUA.GOV into a standardized,
       machine-readable format.

    2) Review other NCUA web sites and translate their privacy policies into a
       standardized, machine-readable format.

Agency Response: NCUA agrees and would like to note that this finding has minimal
impact on the actual security of NCUA systems.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA's planned actions.

[7] A machine-readable format can be scanned or otherwise accessed directly by a computer.
[8] The Platform for Privacy Preferences Project (P3P) enables web sites to express privacy practices in a standard
format that can be retrieved automatically and interpreted easily by user agents (e.g., web browsers). P3P user
agents allow users to be informed of site practices (in both machine- and human-readable formats) and to
automate decision-making based on these practices when appropriate. Therefore, users need not read the privacy
policies at every site they visit.


12. NCUA needs to improve its process for certifying its FISMA systems.

NCUA does not conduct an independent assessment of the security controls on four of
its six FISMA systems.

NIST SP 800-53, Revision 2, guides organizations with "moderate" or "high" information
systems to employ an independent certification agent or certification team to conduct an
assessment of the security controls in the information system. Also, NIST SP 800-37
indicates that, to preserve the impartial and unbiased nature of the security certification,
the certification agent should be in a position that is independent from the persons
directly responsible for the development of the information system and the day-to-day
operation of the system. The certification agent should also be independent of those
individuals responsible for correcting security deficiencies identified during the security
certification. The independence of the certification agent is an important factor in
assessing the credibility of the security assessment results and ensuring the authorizing
official receives the most objective information possible in order to make an informed,
risk-based accreditation decision.

We noted that NCUA's own Information Security Officer[9] (ISO) certified four of its six
FISMA systems categorized as "moderate". NCUA indicated that the ISO is performing
the certification duties due to IT staff resource constraints.
However, using an
independent agent to certify all of its FISMA systems categorized as "moderate" or
"high" will help ensure NCUA's authorizing official[10] receives the most objective
information possible in order to make an informed, risk-based accreditation decision.

Recommendation 12: We recommend that NCUA employ an independent certification
agent or certification team to conduct an assessment of the security controls in NCUA
information systems categorized as "moderate" or "high."

Agency Response: NCUA agrees and plans to let the current certifications stand until
it is time for re-certification. At that time, there will be two large systems instead of six
smaller ones. (The Office of Examination and Insurance systems, CRS, IIS, and
ESS, will be annexed in the GSS.) NAS will be out-sourced by that time, leaving
AMAC and the new GSS as the only systems. The Agency will contract with an
independent certification agent to certify these two systems. The agency-wide security
plan will be updated to reflect these changes.

Estimated completion date: 5/1/2010

OIG Response: The OIG concurs with NCUA's planned actions.

[9] An information security officer is responsible for setting an agency's overall security policy.
[10] The authorizing official is a senior management official or executive with the authority to formally assume
responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets,
or individuals.


13. NCUA needs to complete its FY 2009 security awareness training.

While NCUA has an information security awareness program, it has not provided
security awareness training to NCUA employees and contractors for FY 2009.

NIST SP 800-53, Revision 2, guides that organizations provide basic security
awareness training to all information system users (including managers and senior
executives) before authorizing access to the system, when required by system changes,
and periodically thereafter. Also, NIST SP 800-50 provides that agencies must establish an
effective security awareness and training program to ensure that users are appropriately
trained in the rules of behavior for the systems and applications to which they have
access.

NCUA has not initiated and completed its security awareness training for its employees
and contractors. NCUA officials informed us they are updating the security awareness
training and planned to deploy it to employees and contractors in July 2009, with a
planned completion by September 2009. When NCUA completes its security
awareness training, it will help ensure that employees and contractors mitigate the risk that
NCUA systems will be exposed to vulnerabilities that put the confidentiality, integrity, and
availability of NCUA systems and sensitive data at risk.

Recommendation 13: We recommend that NCUA complete its FY 2009 annual
security awareness training of all employees and contractors.

Agency Response: NCUA agrees.

Estimated completion date: 10/31/2009

OIG Response: The OIG concurs with NCUA's planned action.


14. NCUA needs to complete an Authorization to Operate for one of its
    information systems.

While NCUA has current Authorizations to Operate (ATO)[11] for five of its six FISMA
systems, the agency does not have an ATO for the remaining information system.

NIST SP 800-53, Revision 2, guides that organizations authorize (i.e., accredit) their
information systems for processing before operations and update the authorization at
least every three years or when there is a significant change to the system. A senior
organizational official signs and approves the security accreditation. In addition, NIST
SP 800-37 indicates the authorizing official can also: (i) issue an interim authorization to
operate[12] the information system under specific terms and conditions; or (ii) deny
authorization to operate the information system (or, if the system is already operational,
halt operations) if unacceptable security risks exist.[13]

We noted NCUA does not have an ATO for its GSS because the ATO expired this year. NCUA
officials indicated that the parties involved in certifying and accrediting the system are
still in the process of addressing findings. Therefore, NCUA has not been able to sign
the ATO, by which NCUA attests that the risk(s) the system may present, if any,
to its operations, assets, or individuals are acceptable.

[11] After assessing the results of the security certification, the authorizing official determines that the risk to agency
operations, agency assets, or individuals is acceptable and issues an authorization to operate for the information
system. The authorizing official authorizes the information system without any significant restrictions or limitations on
its operation.
However, NCUA officials indicate\nthey have an interim authority to operate.\n\nRecommendation 14: We recommend that NCUA complete the certification and\naccreditation process for the general support system and issue the Authorization to\nOperate as soon as possible.\n\nAgency Response: NCUA agrees. OCIO staff is currently working on completing the\nGSS certification and accreditation.\n\nEstimated completion date: 5/1/2010\n\nOIG Response: The OIG concurs with NCUA\xe2\x80\x99s planned actions.\n\n\n15. NCUA needs to improve its contingency planning program for its FISMA\n    systems.\n\nNCUA does not have policies and procedures for system owners for developing,\nmaintaining and testing disaster recovery/contingency plans. In addition, NCUA has not\ndeveloped a contingency test plan for the NCUA Accounting System (NAS) and has not\ncompleted testing of NAS for FY 2009. This issue is a repeat finding from the FY 2008\nFISMA review.\n\nNIST SP 800-53, Revision 2, guides that organizations:\n\n     \xef\x82\xb7   Test and/or exercise the contingency plan for the information system at least\n         annually, using organization-defined tests or exercises to determine the plan\xe2\x80\x99s\n         effectiveness and the organization\xe2\x80\x99s readiness to execute the plan.\n\n     \xef\x82\xb7   Review the contingency plan test/exercise results and initiate corrective actions.\n\nIn response to the FY 2008 FISMA review, NCUA officials agreed with our\nrecommendation to establish policies and procedures for developing, maintaining, and\ntesting disaster recovery and contingency plans. 
They agreed to complete this by\n\n12\n  In its FY 2009 Reporting Instructions, OMB indicates it does not recognize the interim authority to operate.\n13\n  An interim authorization provides a limited authorization to operate the information system under specific terms and\nconditions and acknowledges greater risk to the agency for a specified period of time.\n\n\n                                                         24\n\x0cREPORT #OIG-09-02: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2009\n\n\nJune 1, 2009. In addition, they agreed to test and update the plans at least annually.\nHowever, NCUA officials have not developed an overall policy and procedure that\nprovides guidance to system owners for developing, maintaining, and testing\ncontingency plans. In addition, NCUA officials do not have a contingency plan to test\nNAS and did not complete FY 2009 contingency plan testing for NAS. Furthermore,\nwhile NCUA completed contingency plan testing for GSS, they could not provide the\ncontingency plan for GSS. 
NCUA officials indicated they are in the process of\ndeveloping the contingency plans for NAS and GSS, but they did not provide an\nestimated completion date.\n\nBy not developing overall policies and procedures, and routinely testing and updating its\nIT system disaster recovery and contingency plans, NCUA cannot ensure its ability to\ncontinue operations for information systems that support its operations and assets.\n\nRecommendation 15: We recommend that NCUA:\n\n   1) Establish policies and procedures for developing, maintaining, and testing\n      disaster recovery and contingency plans, and test and update the plans at least\n      annually;\n\n   2) Document the contingency plan for the NCUA Accounting System (NAS) and\n      NCUA General Support System (GSS).; and\n\n   3) Test the NAS contingency plan prior to the end of FY 2009.\n\nAgency Response: NCUA agrees.\n\n\nEstimated completion date for items #1 and #2: 5/1/2010\nEstimated completion date for item #3: 12/31/2009.\n\n\nOIG Response: The OIG concurs with NCUA\xe2\x80\x99s planned actions.\n\n\n\n\n                                           25\n\x0c"